The anti-executable built into your Linux distro

Discussion in 'other anti-malware software' started by Gullible Jones, Dec 9, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Do I have your attention? :)

    It turns out sudo includes a library (usually /usr/lib/sudo/sudo_noexec.so) that does what my stub library did, but better - it wraps all of glibc's exec and spawn functions with fake ones that do nothing. It was originally put there to prevent shell escapes in editors and such. Not foolproof, but better than nothing.

    Code:
    $ strings /usr/lib/sudo/sudo_noexec.so
    |`3f
    __gmon_start__
    _init
    _fini
    _ITM_deregisterTMCloneTable
    _ITM_registerTMCloneTable
    __cxa_finalize
    _Jv_RegisterClasses
    execl
    __errno_location
    execle
    execlp
    execv
    execvp
    execvpe
    fexecve
    posix_spawn
    posix_spawnp
    libc.so.6
    _edata
    __bss_start
    _end
    libsudo_noexec.so
    GLIBC_2.2.5
    fffff.
    fffff.
    fffff.
    ;*3$"
    
    Load it into an application on start, and that application will not be able to run other applications, barring some serious tampering inside its memory space.

    e.g.

    Code:
    LD_PRELOAD=/usr/lib/sudo/sudo_noexec.so /usr/lib/firefox/firefox
    This alone is not a comprehensive security strategy. But I do think it may have a place as part of one.
     
  2. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    If I understand it correctly, it's good to know they take precautions against a possible privilege escalation scenario.
     